We posted earlier this year about increased scrutiny of cryptocurrency advertising, especially the promotion of Initial Coin Offerings, or ICOs. The key takeaway from that post was that the frenzy around cryptocurrencies – including as an investment opportunity for individuals who aren’t otherwise active investors – has led to a number of efforts to curtail cryptocurrency promotion, from both regulators and industry stakeholders.… More
In the 9th Circuit’s August 15, 2017 decision in Robins v. Spokeo, the latest in the long-running legal debate about when a consumer cause of action exists for a data breach, the 9th Circuit has declared that inaccuracies in a published credit report may sometimes constitute a “concrete injury” sufficient to confer Article III standing. This is a significant win for consumer protection advocates,… More
What is the future of data privacy regulation in Massachusetts?
On March 24, 2016, the Massachusetts Attorney General’s Office gave us a glimpse. In collaboration with Harvard’s Berkman Center for Internet and Society, and MIT’s Internet Policy Research Initiative and Computer Science and Artificial Intelligence Laboratory, the AG’s Office convened a “Forum on Data Privacy.” In this first-of-its-kind conference,… More
The COPPA Rule requires website and online service operators to give notice to parents and obtain verifiable parental consent before collecting children’s “personal information” online. 16 CFR §§ 312.4, 312.5. The definition of “personal information” encompasses some obvious pieces of data – name and address, for example – and some less-obvious ones, such as screen names, geolocation data, and “persistent identifiers.” A “persistent identifier” is a piece of information “that can be used to recognize a user over time and across different web sites or online services,” such as “a cookie,… More
On 15 December 2015, the three main European institutions, the Commission, the Parliament and the Council, agreed on the final text of the General Data Protection Regulation (GDPR) which has been on the table since January 2012. This is a major achievement, given the number of obstacles that still needed to be overcome a few weeks ago in order to meet the end of 2015 deadline for finalizing the GDPR. … More
Late last night, HHS OCR issued its anticipated guidance on “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Being Prescribed for the Individual.” A new “Fact Sheet” and corresponding “Frequently Asked Questions” attempt to explain how the refill reminder exception to the marketing rule works, and seek to address both the scope of communications that fall within the exception,… More
You may have seen the recent lawsuit alleging that HIPAA’s marketing regulations are unconstitutional. In that case, the plaintiff is a company that “provides a refill reminder service and other adherence messaging services,” Adheris, Inc.
Adheris sued the Department of Health and Human Services because HIPAA’s regulations threaten to put it out of business. In particular, HIPAA now requires patient authorizations for its kind of patient reminders. … More
The revised HIPAA regulations were formally published today in the Federal Register. In this form, they only take up 138 pages!
Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes. While I’m not sure I agree with the quote that “This is a paradigm shift in the privacy world,” I do agree that this is “definitely something for all businesses to pay attention to.” Similarly,… More
The FTC announced today that it has, at long last, modified its Red Flags Rule to match the language of theRed Flag Clarification Act of 2010. As this blog explained in 2010:
As originally drafted, “creditors” would have included anyone “who regularly extends, renews, or continues credit” or “who regularly arranges for the extension, renewal, or continuation of credit,” 15 U.S.C.… More
Today’s Law360 addresses “HHS Data-Scrubbing Guidance” with quotes from me and others on the subject:
Clarifying the types of data that need to be removed from data sets can also help companies maximize the value of the information that they hold as the value of and ability to use this data for research and public health purposes increases, Foley Hoag LLP security and privacy practice co-chair Colin Zick added.… More