Photo of Julia Kadish

Julia Kadish is an associate in the Intellectual Property Practice Group in the firm's Chicago office and is a member of the Privacy and Cybersecurity Team.

Indiana has now become the seventh US state to enact a comprehensive privacy law after Senate Bill 5 (“SB5”) was signed by the governor on May 1, 2023. The new law will go into effect January 1, 2026, and is almost identical to recent comprehensive privacy laws in other states.

Continue Reading Governor Signs: Hoosier State Adds to the US Privacy Patchwork

In this third post in our ongoing series, we examine the scope of the consent requirements under the recently enacted My Health My Data Act. (Visit here for information about the scope of the law and here for information about consumer rights). The Act imposes consent requirements on a wide range of common processing activities.

Continue Reading My Health My Data Act: Consent Requirements

In this second post in our ongoing series, we examine the scope of rights given to consumers under the recently enacted My Health My Data Act. (Visit here for information on the scope of the law). The law provides consumers several rights, all of which are in other privacy laws. However, the requirements associated with some of these rights create some unique challenges.

Continue Reading My Health My Data Act: Consumer Rights

On April 27, 2023, the state of Washington enacted a landmark privacy law aimed at protecting the privacy of health data not covered by HIPAA. While the 2023 legislative season has been busy for state “comprehensive” privacy laws, this law is likely to have the most impact on businesses. The My Health My Data Act covers a very wide range of entities, consumers, and data, as we describe below. And, it contains a private right of action. With the law coming into effect in the first half of 2024, organizations will want to take steps now to understand the scope of this law and its onerous obligations.

Continue Reading My Health My Data Act: Scope of the Law

Utah’s breach notification requirements will change on May 3, 2023. The recently amended data breach notification law now requires companies to notify the Attorney General for a breach involving 500 or more state residents. If the breach involves 1,000 or more residents, then notification to each consumer reporting agency is also required.

Continue Reading Utah Amends Data Breach Law, Creates Cyber Center

The California Privacy Protection Agency (CPPA) Board recently met and unanimously voted to finalize the proposed final CPRA regulations. This approved version was first released in January and updated those released in November 2022. Along with the proposed final CPRA regulations, the CPPA published a draft final statement of reasons and appendices containing responses to the comments received during the public comment periods.

Continue Reading CPRA Update: Moving Toward Finalization

Two states recently passed laws with specific data security requirements for entities that are gaming operators or licensees. These new regulations in Nevada and Massachusetts add to the already complex set of data security laws that exist at the federal and state level. In the US, companies may be subject to certain data security laws because of the type of information they collect or because of the industry they are in (financial, healthcare, insurance, telecommunications, etc.). The gaming industry is the latest to add to the mix.

Continue Reading Gaming Operators Latest to See Specific Privacy & Cybersecurity Laws

On Friday, February 3, the CPPA is scheduled to meet about current and forthcoming CPRA regulations. The Board had previously signaled that it expected to finalize the draft regulations in late January or early February 2023. The agenda confirms that the CPRA regulations will be discussed, including “possible adoption” or “modification” of the text.

Continue Reading Movement on CPRA Regulations Expected

The FTC is closing out 2022 with additional guidance for mobile health app developers signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on companies that collect health information but may not be a covered entity or business associate under HIPAA. This includes publishing additional resources, releasing commentary broadly interpreting the FTC’s Health Breach Notification Rule, and enforcement activity. Most recently, the FTC and other key regulators updated its “Mobile Health App Interactive Tool”.

Continue Reading FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps

Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has also changed. The amendments will not be effective until May 2, 2023.

Continue Reading Pennsylvania Amends Breach Notification Law