The BR Privacy & Security Download: April 2023

The BR Privacy & Security Download

Welcome to this month's issue of The BR Privacy & Security Download, the digital newsletter of Blank Rome’s Privacy, Security & Data Protection practice. We invite you to share this resource with your colleagues and visit Blank Rome’s Privacy, Security & Data Protection webpage for more information about our team.


Iowa Passes Comprehensive Privacy Law
Iowa became the sixth state to pass comprehensive privacy legislation, adopting a law that more closely aligns with Utah’s Consumer Privacy Act than any other state privacy laws passed to date. Iowa’s Act Relating to Consumer Data Protection (the “Act”) will apply to businesses that (a) control or process the personal data of at least 100,000 Iowa consumers or (b) control or process the personal data of at least 25,000 Iowa consumers and derive 50 percent or more gross revenue from the sale of personal data. The Act provides for a number of exemptions typical of other state privacy laws, including exemptions for financial institutions and data regulated by the Gramm-Leach-Bliley Act, entities and data subject to the Health Insurance Portability and Accountability Act, and data subject to the Fair Credit Reporting Act. Like other states, the Act provides consumers with various rights, such as the right to delete personal data, opt out of the sale of personal data, and confirm processing. The Act does not provide consumers with a right to correct personal data. There is no private right of action under the Act, which will be enforced solely by the state attorney general. The Act will go into effect on January 1, 2025.

Revised Colorado Privacy Act Rules Finalized
The Colorado Attorney General’s Office finalized the rules implementing the Colorado Privacy Act (“CPA”). Notable changes from the previous draft include requirements for controllers to: (i) honor requests from any of the universal opt-out mechanisms included in the list to be maintained by the Colorado Department of Law within six months of their addition to the list; (ii) retain records of compliance and rights requests for at least 24 months; and (iii) annually review digital or physical photographs and audio or voice recordings to ensure that storage is still necessary for the express processing purpose. The final rules also clarify that the sale of sensitive data to one party is not necessary to or compatible with the sale of that data to a different party, likely meaning that controllers will need to provide consumers with the ability to consent to the sale of sensitive data to each third party the controller sells data to. The rules take effect on July 1, 2023, when the CPA takes effect.

Amendments to the CPRA Introduced
The California Legislature has introduced several amendments to the California Privacy Rights Act (“CPRA”). AB 947 would amend the CPRA to expand the definition of “sensitive personal information” to include personal information that reveals a California resident’s citizenship or immigration status. AB 1194 would require businesses to comply with the CPRA when processing personal information related to the access, procurement, or search of services regarding contraception, pregnancy care, and perinatal care, including abortion services. AB 1546 would extend the period of time the California Attorney General can commence an action to enforce the CPRA to five years after the cause of action accrued —a significant departure from existing law that imposes a one-year statute of limitations for statutory enforcement actions.

CPRA Regulations Take Effect
On March 30, 2023, California’s Office of Administrative Law (“OAL”) approved the final regulations implementing the CPRA (“CPRA Regulations”) that were drafted by the California Privacy Protection Agency (“CPPA”). The CPRA Regulations update existing California Consumer Privacy Act (“CCPA”) regulations to harmonize them with the amendments adopted pursuant to the CPRA, operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law, and reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand. With the approval from the OAL, the CPRA Regulations have come into effect and will be submitted to the California Secretary of State for filing.

Utah Approves Law Restricting Social Media for Minors
Utah Governor Cox signed into law SB-152 and HB-311, together, enacting the Utah Social Media Regulation Act (the “Act”). The Act, effective March 1, 2024, requires social media companies to verify users’ ages, to obtain parental consent for Utah residents under the age of 18 to create or maintain an account, and to grant parents/guardians access to such accounts. For such accounts, the Act also imposes a 10:30 p.m.–6:30 a.m. access curfew, bans certain account features (e.g., direct messaging), and prohibits social media companies from engaging in certain data practices (e.g., advertising) or “using a design or feature that causes a minor to have an addiction to the . . . platform.” The Act grants Utah’s Consumer Protection Division enforcement and auditing authority and creates a private right of action for attorneys’ fees and damages incurred.


White House Releases National Cybersecurity Strategy
The White House released its National Cybersecurity Strategy (the “Strategy”), the first White House cybersecurity strategy to be issued since the creation of the Office of National Cyber Director (“ONCD”). The Strategy seeks to rebalance the responsibility of defending cyberspace from smaller and local actors to those the administration deems most capable and best positioned to do so and realign incentives to favor long-term investments in cybersecurity. The Strategy revolves around five pillars: (i) defend critical infrastructure; (ii) disrupt and dismantle threat actors; (iii) shape market forces to drive security and resilience; (iv) invest in a resilient future; and (v) forge international partnerships to pursue shared goals. Implementation of the Strategy will be coordinated by the ONCD and the Office of Management and Budget and overseen by the National Security Council.

SEC Advances Three New Cybersecurity Rule Proposals
The Securities and Exchange Commission (“SEC”) proposed three rules related to cybersecurity. The first proposal would amend Regulation S-P to require covered institutions to adopt a written incident response program, notify affected individuals of a data breach, and maintain written records documenting their compliance with Regulation S-P’s rules. The second proposal would require certain entities to maintain and regularly update written cybersecurity policies and procedures, provide immediate written notice to the SEC of significant cybersecurity incidents, and publicly disclose summaries of cybersecurity risks and incidents. The third proposal would amend Regulation Systems Compliance and Integrity (“SCI”) to increase the scope of entities covered by Regulation SCI and expand its requirements. This includes specifying what must be included in security policies and procedures, requiring notice to the SEC of certain “systems intrusions” without delay, updating annual SCI compliance reviews, and including key third-party providers in covered entities’ business continuity/disaster recovery testing.

CFPB Launches Inquiry into Data Collection Practices of Data Brokers
The Consumer Financial Protection Bureau (“CFPB”) issued a “Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information” to help guide its rulemaking under the Fair Credit Reporting Act (“FCRA”). According to CFPB Director Chopra, the inquiry seeks to understand the scope and breadth of data brokers and “modern data surveillance practices” which have allowed companies to “monetize [individuals’] most sensitive data.” The CFPB is specifically interested in understanding the business models and practices of the data broker market and individuals’ direct experiences with such companies, including individuals’ attempts to remove, correct, or regain control over their data. Public comments may be submitted via the Rulemaking Portal until June 13, 2023.

Bill Introduced to Amend the Gramm-Leach-Bliley Act
Representative McHenry (NC-R) introduced to Congress the Data Privacy Act of 2023, HR-1165 (the “Bill”), seeking to amend the Gramm-Leach-Bliley Act (“GLBA”), which regulates how covered financial institutions collect, process, disclose, and protect consumers’ nonpublic personal information (“NPI”). The Bill proposes to amend the scope of Title V of the GLBA by (i) expanding GLBA-covered “financial institution” to include “data aggregators”; (ii) broadening the definition of protected NPI to align more closely with the definition of “personal information” under the California Privacy Rights Act (“CPRA”); and (iii) extending financial institutions’ obligations, including new privacy notice requirements, beyond customers and to individuals with a “customer or consumer relationship” with the institution. If enacted, the Bill would establish consumer rights similar to those found under the CPRA, including the right to request access to and to delete NPI, and the right to opt out of disclosures of NPI with non-affiliated third parties.

UPHOLD Privacy Act Introduced to Protect Health and Location Data
Senators Klobuchar (D-MN), Warren (D-MA), and Hirono (D-HI) introduced the Upholding Protections for Health and Online Location Data (UPHOLD) Privacy Act (the “Act”) to expand privacy protections over individuals’ personally identifiable health and location data. Among other things, the Act would (i) prohibit the use of individuals’ health data collected from any source for commercial advertising purposes; (ii) restrict the collection, retention, use, and disclosure of (including employee and service provider access to) health data without the individual’s express consent; (iii) require certain privacy policy disclosures; and (iv) prohibit the sale of location data to/from data brokers. The Act would also grant individuals the rights to request access to and deletion of their data and to bring a private right of action against “covered entities,” as defined under the Health Insurance Portability and Accountability Act (“HIPAA”) and data brokers for violations of the Act.

House Committee Holds Hearing on Federal Privacy Law
The House Committee on Energy and Commerce’s Subcommittee on Innovation, Data, and Commerce held a hearing on promoting U.S. Innovation and Individual Liberty through a national standard for data privacy. House members voiced support for picking up the American Data Privacy and Protection Act, legislation that was proposed in the last Congressional session. Substantial hurdles, including obtaining consensus on preemption and enforcement, still stand in the way of passing federal legislation. However, the hearing demonstrated bipartisan support for a federal privacy regulatory framework to both protect consumer privacy interests and lessen the burden on businesses facing complex compliance requirements across multiple jurisdictions.

TSA Announces New Cybersecurity Requirements for Airports and Aircraft Operators
The Transportation Security Administration (“TSA”) issued a new cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures previously adopted for passenger and freight railroad carriers. The cybersecurity amendment requires covered entities to develop an approved implementation plan, describing measures the entities are taking to improve their cybersecurity and prevent disruption and degradation to their infrastructure. The entities must also (i) develop network segmentation policies and controls so that operational technology systems continue to operate in the event of a compromise of information technology systems; (ii) implement access controls to secure and prevent unauthorized access to critical cyber systems; (iii) implement continuous monitoring and detection policies and procedures to defend against, detect, and respond to cybersecurity threats; and (iv) apply security patches and updates for operating systems, applications, drivers, and firmware on critical cyber systems in a timely manner using a risk-based methodology.


FTC Issues Proposed Order against BetterHelp
The Federal Trade Commission (“FTC”) has issued a proposed order banning online counseling service, BetterHelp, Inc. (“BetterHelp”), from sharing consumers’ health data, including information about mental health challenges, for advertising purposes. The proposed order requires BetterHelp to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with social media sites for advertising purposes after promising to keep such data private. This is the first FTC action returning funds to consumers whose health data was compromised. The proposed order also requires BetterHelp to obtain affirmative express consent before disclosing personal information to third parties for any purpose, put in place a comprehensive privacy program that includes security safeguards to protect consumer data, direct third parties to delete the consumer health and other personal data that BetterHelp revealed to them, and limit how long it can retain personal and health information according to a data retention schedule.

New York Attorney General Settles with Law Firm for Data Breach
New York Attorney General Letitia James has settled with the law firm Heidell, Pittoni, Murphy & Bach LLP (“HPMB”), which maintains patients’ personal information in connection with its representation of hospitals, for a data breach that occurred in 2021. The breach compromised 114,979 patients’ personal information, including birth dates, social security numbers, health insurance information, medical history, and/or treatment information. The attacker was able to exploit a vulnerability in HPMB’s Microsoft Exchange email server to gain access to HPMB’s systems. Microsoft had released patches for this vulnerability several months earlier, but HPMB did not timely apply these patches. HPMB’s data security failures violated state law and the Health Insurance Portability and Accountability Act (“HIPAA”). As part of the settlement, HPMB will pay $200,000 in penalties and strengthen its cybersecurity measures, such as maintaining a comprehensive information security program, encrypting personal information, and establishing a patch management and penetration testing program.


U.K. Releases Draft Data Protection Bill
U.K. Secretary of State for Science, Innovation, and Technology, Michelle Donelan, introduced the Data Protection and Digital Information (No. 2) Bill (the “Bill”) to Parliament. The first version of the Bill was originally introduced in July 2022 but was put on hold following Liz Truss’ appointment as prime minister. The Bill contains a number of reforms aimed at creating a more business-friendly privacy regulatory framework. Changes include requiring records of processing activities only for organizations that carry out processing activities likely to result in “high risk to the rights and freedoms of data subjects,” inclusion of a non-exhaustive list of activities that may be considered a legitimate interest of a controller, and increasing fines for nuisance calls and texts to the greater of 4percent of global turnover or £17.5 million.

Use of Popular Website Analytics Tool Held Unlawful by Norwegian Data Protection Authority
The Norwegian Data Protection Authority, the Datatilsynet, joined the data protection authorities of Austria, France, Italy, and Finland by announcing a preliminary determination that use of the Google Analytics tool violates the European Union General Data Protection Regulation (“GDPR”). Specifically, the Datatilsynet determined that use of the tool by a Norwegian website violated GDPR cross-border transfer rules. The finding of the Datatilsynet is preliminary, and the parties to the case being heard by the regulator will now have an opportunity to comment on the Datatilsynet’s decision before a final decision is issued.

Norwegian Data Protection Authority Fines American Medical Device Maker
The Datatilsynet fined American medical device company Argon Medical Devices (“Argon”) 2.5 million Norwegian Krone (approximately $242,000) for a failure to timely report a data breach to authorities. Argon discovered a security breach affecting its European employees in July 2021 but did not report the breach to the Datatilsynet until September 2021. The Datatilsynet stated that Argon did not believe it needed to report the security breach until it had completed its review of the incident and all of its consequences. However, the GDPR mandates that data controllers report breaches to the appropriate data protection authorities within 72 hours of discovery and the Datatilsynet confirmed that controllers cannot wait to send such notification until completion of the applicable investigation.

China Proposes National Data Bureau to Centralize Regulation of Digital Economy
China State Council Secretary General Jie proposed the creation of the National Data Bureau (the “Bureau”) as part of a sweeping overhaul of State and Party institutions, including powerful agencies such as the Cyberspace Administration of China and the Ministry of Industry and Information Technology. Following China’s crackdowns on large businesses engaged in illegal data practices, the proposal is intended to centralize regulatory authority over its digital economy. The Bureau would oversee the advancement and construction of China’s data infrastructure (e.g., cross-border data transfers, consumer privacy protections, and the use of algorithms) and further coordinate the integration, sharing, development, and utilization of data resources. The proposal was made during the National People’s Congress’ annual legislative session which concluded in mid-March 2023.


© 2023 Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.