
Julia Kadish is an associate in the Intellectual Property Practice Group in the firm's Chicago office and is a member of the Privacy and Cybersecurity Team.

The FTC is closing out 2022 with additional guidance for mobile health app developers, signaling its continued interest in this industry. Since 2021, we have seen several steps from the agency demonstrating a focus on companies that collect health information but may not be a covered entity or business associate under HIPAA. These steps include publishing additional resources, releasing commentary broadly interpreting the FTC’s Health Breach Notification Rule, and enforcement activity. Most recently, the FTC and other key regulators updated their “Mobile Health App Interactive Tool”.

Continue Reading FTC and Other Regulators Continue to Signal Interest in Mobile Health Apps

Pennsylvania recently amended its data breach notification law to expand its definition of personal information and provide for a HIPAA exception. The process for providing notice in the event of a username/email breach has also changed. The amendments will not be effective until May 2, 2023.

Continue Reading Pennsylvania Amends Breach Notification Law

The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.

Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations

Companies that participate in the AdTech and digital advertising ecosystem are very familiar with the Interactive Advertising Bureau and its form advertiser agreements. Those agreements can help streamline negotiations, presenting the parties with, essentially, a pre-negotiated approach to common issues. When CCPA was passed, IAB updated its form to address that law and address consumer notice and consent. With the upcoming laws in California, Colorado, Connecticut, Utah and Vermont, the document is now outdated.

Continue Reading IAB Steps In State Signal Morass

Talk of “opt-out preference signals” or global privacy controls (GPC) has been increasing as companies dig into the forthcoming requirements under US “comprehensive” privacy laws. What is an opt-out preference signal? An “opt-out preference signal,” also known colloquially as “GPC,” is a signal sent by a platform or technology on behalf of a consumer that communicates the consumer’s choice to opt out of sale or sharing. Below, we summarize how each of the states treats this requirement.

Continue Reading Comparing and Contrasting the Opt Out Preference Signal Across States

With 2023 quickly approaching, many are spending this final quarter preparing for the five US state “comprehensive” privacy laws. Some of these contemplate clarifying regulations with technical and operational requirements, requirements that will impact preparation activities.

Continue Reading State Comprehensive Privacy Laws: Status of the Regulations

The EDPB recently announced its second topic for coordinated enforcement. At a national level, data protection authorities in the EU will be looking into the position of the data protection officer. The results of these national actions are analyzed and bundled, generating deeper insights into a particular topic. Last year, the EDPB had selected the use of cloud-based services by the public sector for its first coordinated enforcement action. So, this second topic will be of more relevance to a wider set of organizations. Given that the report on the outcome of the 2022 coordinated action is expected to be adopted before the end of the year, companies can expect a report on the DPO position sometime in 2023.

Continue Reading EU Regulators to Take Closer Look at DPO Position

Companies transferring personal data out of the EU or UK are reminded of key deadlines approaching for the contracts that govern these transfers. When the European Commission adopted the new Standard Contractual Clauses (SCCs) in 2021, it set a deadline of December 27, 2022 for existing contracts under the old SCCs. This means that by December 27, 2022, all existing contracts using the old SCCs will need to be replaced by the new terms.

Continue Reading Deadlines for EU and UK Standard Contractual Clauses Approaching

Companies subject to California’s Consumer Privacy Act (CCPA) may soon need to figure out how to scale their privacy compliance programs to include employee and B2B information. The current exemptions of this type of information from most of the law’s requirements are set to expire January 1, 2023.

Continue Reading CCPA May Soon Apply to Employee and B2B Information

The FTC recently announced an ambitious Advance Notice of Proposed Rulemaking (ANPR) broadly aimed at a host of privacy and data security issues. This is the first step by the agency to explore using its Section 18 rulemaking authority under the FTC Act to issue a broad consumer privacy-focused trade regulation rule. The ANPR poses 95 questions on various topics, ranging from collection of information from children to consent, data security, biometrics, artificial intelligence, and automated decision-making. The ANPR is focused on the impact to individuals as consumers and as workers or employees in a business capacity.

Continue Reading FTC Announces Proposed Rulemaking On Privacy and Data Security