Prompted by the mass shooting in Las Vegas, HHS’s Office for Civil Rights issued guidance clarifying when covered entities can share a patient’s protected health information with family, friends and others involved in the patient’s care.
The International Conference of Data Protection and Privacy Commissioners, a collection of data and privacy regulators from around the world, recently issued non-binding guidance concerning the privacy rights of autonomous and connected vehicle users. The guidance calls on manufacturers and service providers to “fully respect the users’ rights to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services.” The guidance may instruct future international data enforcement actions, meaning entities could be fined for failing to comply. Among its many instructions, the guidance encourages manufacturers and service providers to:
The FTC announced that it has given guidance on when the Children’s Online Privacy Protection Act (COPPA) requires collection of parental consent before collecting voice recordings online from children under 13. The issue arose because, as the FTC noted, voice is beginning to be a “replacement for written words,” especially when conducting searches or instructing digital devices. COPPA requires collecting parental consent before collecting personally identifiable information from children online. The definition of “personal information” under COPPA is broad, and includes audio files. Arguably, then, online operators would need parental consent before children “submitted” audio files, including in the form of conducting verbal searches or giving verbal instructions to their connected device.
In the much anticipated first annual review of the EU-US Privacy Shield program, the European Commission concluded that the program continues to provide adequate protection for personal information transferred from Europe to the United States. The Privacy Shield lets EU entities send personal information to participating US companies without running afoul of EU law – law which prohibits the exporting of personal information to entities located in countries whose laws were not deemed “adequate” (except in certain limited circumstances). The US has not been deemed to have “adequate” laws (only a few non-EU countries have been determined adequate, among them Canada, Israel, New Zealand, Switzerland and Uruguay).
A Florida court recently broke with other district courts in its circuit when it concluded that a plaintiff lacks standing to sue a defendant for mere technical violation of the Fair and Accurate Credit Transactions Act (FACTA) unless the plaintiff has been harmed. FACTA prohibits printing more than the last five digits of a credit card number or the expiration date on a receipt. In the case in question (Gesten v. Burger King Corp.) the plaintiff alleged that Burger King violated FACTA when it provided him with a receipt which identified his payment method as a debit card, identified the issuing company (e.g., Visa, American Express), and included the first six and last four digits of his account number.
Employees of Peacock Foods, an Illinois-based food product manufacturer, recently filed a lawsuit against their employer for alleged violations of Illinois’ Biometric Information Privacy Act. Under BIPA, companies that collect biometric information must inter alia have a written retention policy (that they follow). As part of the policy, the law states that they must delete biometric information after they no longer need it, or three years after the last transaction with the individual. Companies also need consent to collect the information under the Illinois law, cannot sell the information, and, if the information is shared, must obtain consent for such sharing.
Nevada, Oregon and New Jersey recently passed laws focusing on the collection of consumer information, serving as a reminder for advertisers, retailers, publishers and data collectors to keep up-to-date, accurate and compliant privacy and information collection policies.
There were new developments regarding the Sabre cyber breach this past week, as the travel industry and the public are learning more about its scope and scale.
To recap, in early May, Sabre, Inc., which provides electronic travel booking services, disclosed that it was investigating “an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through [its] Hospitality Solutions SynXis Central Reservations system.” That system serves 32,000 properties. Sabre stated that it had shut off the unauthorized access and had engaged a security forensics firm to investigate.
Two recent judgments against Dish Network LLC (“Dish”) for violations of the Telephone Consumer Protection Act (TCPA) and similar state and federal laws demonstrate the significant liability companies may face based on the actions of their third-party contractors. Dish has been ordered to pay a total of approximately $341 million in two separate federal court actions related to TCPA violations committed by its marketing service providers. Both cases underscore the importance of maintaining strong vendor oversight in the highly regulated telemarketing industry.
How The EU Data Privacy Regulation Will Affect American Companies’ Data Collection and Processing Practices – and Their Revenue
For American companies that do business in Europe or that process the personal data of EU residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:
- access any personal data that has been collected,
- obtain confirmation about whether an individual’s data is being processed, and
- require that the data be “erased” if the consumer withdraws consent.